Enabling Rekey - Cisco FirePOWER ASA 5500 series Configuration Manual

Chapter 38
Configuring SSL VPN Client
none specifies the SVC is removed from the remote computer after the active SVC connection terminates.
The default is that permanent installation of the SVC is disabled. The SVC on the remote computer uninstalls at the end of every SVC session.
The following example configures the existing group-policy sales to keep the SVC installed on the remote computer:
hostname(config)# group-policy sales attributes
hostname(config-group-policy)# webvpn
hostname(config-group-policy)# svc keep-installer installed

Enabling Rekey

When the security appliance and the SVC perform a rekey, they renegotiate the crypto keys and initialization vectors, increasing the security of the connection.
To enable the SVC to perform a rekey on an SVC session for a specific group or user, use the svc rekey command from group-policy and username webvpn modes:
svc rekey {method {new-tunnel | none | ssl} | time minutes}
no svc rekey {method {new-tunnel | none | ssl} | time minutes}
Where:
method new-tunnel specifies that the SVC establishes a new tunnel during SVC rekey.
method none disables SVC rekey.
method ssl specifies that SSL renegotiation takes place during SVC rekey.
time minutes specifies the number of minutes from the start of the session until the rekey takes place, from 1 to 10080 (1 week).
In the following example, the SVC is configured to renegotiate with SSL during rekey, which takes place 30 minutes after the session begins, for the existing group-policy sales:
hostname(config)# group-policy sales attributes
hostname(config-group-policy)# webvpn
hostname(config-group-policy)# svc rekey method ssl
hostname(config-group-policy)# svc rekey time 30

Enabling and Adjusting Dead Peer Detection

Dead Peer Detection (DPD) ensures that the security appliance (gateway) or the SVC can quickly detect a condition where the peer is not responding, and the connection has failed.
To enable DPD on the security appliance or SVC for a specific group or user, and to set the frequency with which either the security appliance or SVC performs DPD, use the svc dpd-interval command from group-policy or username webvpn mode:
svc dpd-interval {[gateway {seconds | none}] | [client {seconds | none}]}
no svc dpd-interval {[gateway {seconds | none}] | [client {seconds | none}]}
Where:
gateway seconds enables DPD performed by the security appliance (gateway) and specifies the frequency, from 30 to 3600 seconds, with which the security appliance (gateway) performs DPD.

Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
38-5
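Both the svc rekey and svc dpd-interval commands carry a documented value range (1 to 10080 minutes for rekey time, 30 to 3600 seconds for the DPD interval) and a none form that switches the protection off. The following Python script is an added example, not part of the Cisco guide: it reads these settings in running-config form (an assumed layout, shown in a constructed sample) and reports each group-policy where rekey or DPD is disabled, left unset, or set outside those ranges; the policy names and finding strings are also assumptions.

```python
import re

# Constructed sample in running-config form of the commands on this page (not a real device dump).
SAMPLE_CONFIG = """\
group-policy sales attributes
 webvpn
  svc rekey method ssl
  svc rekey time 30
  svc dpd-interval gateway 30
  svc dpd-interval client 30
group-policy eng attributes
 webvpn
  svc rekey method none
  svc dpd-interval gateway 7200
"""
REKEY_TIME = (1, 10080)   # minutes, the range the guide gives for svc rekey time
DPD_SECONDS = (30, 3600)  # seconds, the range the guide gives for svc dpd-interval

def parse_policies(text):
    """Map each group-policy name to the svc rekey / dpd-interval values set under it."""
    policies, cur = {}, {}  # 'cur' starts as a throwaway dict for lines before any policy
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"group-policy (\S+) attributes$", line):
            cur = policies.setdefault(m.group(1), {})
        elif m := re.match(r"svc rekey method (new-tunnel|none|ssl)$", line):
            cur["rekey_method"] = m.group(1)
        elif m := re.match(r"svc rekey time (\d+)$", line):
            cur["rekey_time"] = int(m.group(1))
        elif m := re.match(r"svc dpd-interval (gateway|client) (\d+|none)$", line):
            cur["dpd_" + m.group(1)] = None if m.group(2) == "none" else int(m.group(2))
    return policies

def audit(policy):
    """Findings for one parsed policy: rekey off, timer out of range, DPD off, unset or out of range."""
    findings = []
    if policy.get("rekey_method") == "none":
        findings.append("rekey disabled (method none): keys and IVs are not renegotiated")
    t = policy.get("rekey_time")
    if t is not None and not REKEY_TIME[0] <= t <= REKEY_TIME[1]:
        findings.append(f"rekey time {t} outside {REKEY_TIME[0]}-{REKEY_TIME[1]} minutes")
    for side in ("gateway", "client"):
        v = policy.get("dpd_" + side, "unset")
        if v == "unset":
            findings.append(f"svc dpd-interval {side} not set in this policy")
        elif v is None:
            findings.append(f"DPD disabled on {side}: a non-responding peer is not detected")
        elif not DPD_SECONDS[0] <= v <= DPD_SECONDS[1]:
            findings.append(f"{side} DPD interval {v}s outside {DPD_SECONDS[0]}-{DPD_SECONDS[1]}")
    return findings
```

Running audit over parse_policies(SAMPLE_CONFIG) reports nothing for sales and three findings for eng (rekey disabled, gateway interval out of range, client interval not set).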